AIX proFTPd Installation

INTRODUCTION

In order to satisfy the requirement for secure FTP using SSL certificates, initially for CST and documentum systems, an Open Source product “proFTPd” has been adopted.

“proFTPd” provides FTPS (FTP with SSL/TLS encryption of the control and data connections) and normal, unencrypted FTP. FTPS is not SFTP (file transfer over SSH): the proFTPd versions used here (1.2.8 and 1.3.0a) have no SFTP module, and only FTPS is configured in this document. FTP users require an FTPS capable client such as FileZilla or Core FTP Lite in order to transfer files with FTPS.

With proFTPD, FTP users are locked into their home directory when performing FTP thereby providing additional security.

This document details how to install proFTPd on AIX for supported systems.

Minimal Requirements for Undertaking Work / Action

Root access to the AIX system on which proFTPD will be installed.

Access to the NIM server to download the proFTPd package and associated pre-requisite packages.

The following packages are required in order to provide SSL support, some may also be required for the non-SSL proFTPd (obtainable from the NIM server):

1. coreutils-5.2.1-2.aix5.1.ppc.rpm

2. gcc-4.0.0-1.aix5.3.ppc.rpm

3. gcc-cplusplus-4.0.0-1.aix5.3.ppc.rpm

4. libgcc-4.0.0-1.aix5.3.ppc.rpm

5. make-3.80-1.aix5.1.ppc.rpm

6. openssl-0.9.7g-2.aix5.1.ppc.rpm

7. openssl-devel-0.9.7g-1.aix5.1.ppc.rpm

8. openssl-doc-0.9.7g-1.aix5.1.ppc.rpm

9. proftpd-1.2.8-1.aix5.1.ppc.rpm (for non-SSL proFTPd)

Known Issues / Risks / Concerns

If the proFTPd configuration requires TLS (TLSRequired on) then normal, unencrypted FTP will not be possible; the configuration below leaves it off so that both work.

Users must be able to SSH to the system in order to change expired passwords, because there is no way to change a password over FTP.

To prevent an FTP user from obtaining a normal AIX shell, set their login shell to “/usr/bin/passwd”, so that an SSH login gives them only the facility to change their password. Because /usr/bin/passwd is not listed in /etc/shells, proFTPd must be configured with RequireValidShell off (as in the configuration below) or it will refuse those users.

The proftpd RPM (e.g. proftpd-1.2.8-1.aix5.1.ppc.rpm) downloaded from the AIX Toolbox for Linux Applications is built without the mod_tls module and so does not support SSL/TLS. It can be installed where SSL support is not required (see the instructions in this document).

To provide SSL support then the source distribution must be downloaded and compiled with the mod_tls module (see the instructions in this document).

Install proFTPd without SSL

a) Download the proFTPd RPM from the following directory on the NIM server to /home/support on the server:

  • /export/nim/software/RPM/proftpd-1.2.8-1.aix5.1.ppc.rpm


b) Install the RPM and any additional packages required (all pre-requisites should be available on the NIM server in the /export/nim/software/RPM directory).

c) Update /etc/proftpd.conf to ensure that the following values have been specified:

ServerType		inetd
Port			21
Umask			000
DefaultRoot 		~
SystemLog		/var/log/proftpd.log
DisplayLogin		/etc/ftpissue
DisplayConnect		/etc/ftpissue
RequireValidShell 	off

Note: Umask 000 makes every file and directory created through FTP world-writable. Unless other local users genuinely need write access to uploaded files, Umask 022 is the safer value.

d) Update /etc/inetd.conf to change the ftp entry to the following value

ftp     stream  tcp     nowait  root    /usr/sbin/proftpd      proftpd

e) Issue the following command to force inetd to re-read its configuration file:

# refresh -s inetd

f) Verify that ftp works correctly and that it is now using proFTPd.

g) Verify that the ftp user is now locked into their home directory.
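Before steps f) and g), the edits of steps c) and d) can be checked without connecting a client. The script below is an added example (it is not part of the original page or of the proFTPd project): it lints a proftpd.conf for the directives listed in step c) and an inetd.conf for an active ftp entry that hands the service to proftpd. It uses only POSIX sh, awk and grep, and runs against constructed sample files it writes to a temporary directory; to check the live system call check_proftpd_conf /etc/proftpd.conf and check_inetd_ftp /etc/inetd.conf /usr/sbin/proftpd instead.

```shell
#!/bin/sh
# Added example (not from the original page): lint /etc/proftpd.conf and the
# /etc/inetd.conf ftp entry for the settings steps c) and d) require.
# Assumptions: POSIX sh, awk, grep; the config and inetd samples below are
# constructed for this demo and stand in for the real files.

# value_of FILE DIRECTIVE -> value of DIRECTIVE (case-insensitive; comment
# lines never match; last occurrence wins; empty if absent)
value_of() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# check_proftpd_conf FILE -> 0 if every required directive has the expected
# value, 1 otherwise (reasons on stderr). Umask 000 is warned about rather
# than rejected: it makes every uploaded file world-writable.
check_proftpd_conf() {
    conf=$1; rc=0
    for pair in "ServerType=inetd" "Port=21" "DefaultRoot=~" "RequireValidShell=off"; do
        d=${pair%%=*}; want=${pair#*=}
        got=$(value_of "$conf" "$d")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $d is '$got', expected '$want'" >&2; rc=1
        fi
    done
    case $(value_of "$conf" Umask) in
        000) echo "WARN: Umask 000 makes uploads world-writable; 022 is safer" >&2 ;;
    esac
    return $rc
}

# check_inetd_ftp FILE BINARY -> 0 if an active (uncommented) ftp entry
# runs BINARY, 1 otherwise. Commented-out entries start with '#', so $1 != "ftp".
check_inetd_ftp() {
    awk -v bin="$2" '$1 == "ftp" && $2 == "stream" && $3 ~ /^tcp/ && $6 == bin { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# --- constructed samples (not real system files) --------------------------
tmp=${TMPDIR:-/tmp}/proftpd-lint.$$
mkdir -p "$tmp"; trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/good.conf" <<'EOF'
# follows step c), but with a sane umask
ServerType        inetd
Port              21
Umask             022
DefaultRoot       ~
SystemLog         /var/log/proftpd.log
RequireValidShell off
EOF

cat > "$tmp/bad.conf" <<'EOF'
ServerType        standalone
Port              21
Umask             000
DefaultRoot       ~
RequireValidShell on
EOF

cat > "$tmp/inetd.conf" <<'EOF'
#ftp    stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
ftp     stream  tcp     nowait  root    /usr/sbin/proftpd      proftpd
EOF

check_proftpd_conf "$tmp/good.conf" && echo "good.conf: OK"
check_proftpd_conf "$tmp/bad.conf"  || echo "bad.conf: rejected as expected"
check_inetd_ftp "$tmp/inetd.conf" /usr/sbin/proftpd && echo "inetd: ftp is handed to proftpd"
```

The inetd check deliberately requires the entry to be uncommented and to name the exact binary, because the most common mistake after step d) is leaving the original ftpd line active or pointing at the wrong path (the source build in the next section installs to /usr/local/sbin/proftpd, not /usr/sbin/proftpd).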

Install proFTPd with SSL

a) Download the proFTPd source from the following directory on the NIM server

/export/nim/software/GNU_Source/proFTPd/proftpd-1.3.0a.tar

b) Untar the file and cd into the new directory. If the tree has been configured or built before, run “make clean” first so that no old object or configuration files are present (a freshly extracted tree has no Makefile yet, so the command is not needed there).

c) Configure proFTPd to use the mod-tls module and compile:

# ./configure --with-modules=mod_tls
# make
# make install

d) Verify that mod_tls is present in the compiled binary by listing its modules:

# cd /usr/local/sbin
# ./proftpd -l

The list should look like the following, including mod_tls:

mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_auth_pam.c
mod_tls.c

e) A source build reads its configuration from /usr/local/etc/proftpd.conf by default. Verify that /etc/proftpd.conf is a symbolic link to /usr/local/etc/proftpd.conf (or vice versa) so that the edits below and the running server refer to the same file.

f) Update /etc/proftpd.conf to ensure that the following values have been specified:

ServerType		inetd
Port			21
Umask			000
DefaultRoot 		~
SystemLog		/var/log/proftpd.log
DisplayLogin		/etc/ftpissue
DisplayConnect		/etc/ftpissue
RequireValidShell 	off

Note: Umask 000 makes every file and directory created through FTP world-writable. Unless other local users genuinely need write access to uploaded files, Umask 022 is the safer value.

g) Create the /etc/ftpissue file from the /etc/issue file to provide a legal warning when users login to ftp.

h) Create the nogroup group definition if it does not exist:

mkgroup id=209 admin=false users=nobody adms=root registry=files nogroup

i) Add the required TLS related statements to /etc/proftpd.conf, for example:

# Turn on SSL/TLS support
<IfModule mod_tls.c>
TLSEngine                   on
TLSLog                      /var/log/tls.log
# SSLv23 here means "negotiate the highest version both sides support";
# on a current OpenSSL/proFTPd build restrict this to TLSv1.2 or later
TLSProtocol                 SSLv23
# Are clients required to use FTP over TLS when talking to this server?
# (on disables plain FTP; see Known Issues)
TLSRequired                 off
#
# Server certificate and its UNENCRYPTED private key. proftpd is started
# by inetd and has no terminal on which to answer a passphrase prompt.
# Both files should be owned by root and the key readable by root only.
TLSRSACertificateFile       /etc/ssl/docpsd.cert
TLSRSACertificateKeyFile    /etc/ssl/docpsd.key
#
# CA the server trusts (only needed when clients present certificates)
#TLSCACertificateFile       /etc/ssl/certs/ca.crt
#
# Authenticate clients that want to use FTP over TLS?
# Client certificates are not used in this setup: TLSCACertificateFile is
# commented out and NoCertRequest stops the server asking the client for a
# certificate, so users authenticate with their passwords over the encrypted
# control connection. To require client certificates, configure
# TLSCACertificateFile and remove NoCertRequest.
TLSVerifyClient             on
TLSOptions                  NoCertRequest
</IfModule>

j) Update your PATH to include /opt/freeware/bin to be used when running openssl to create certificates.

k) Create the SSL server key, then an unencrypted copy of it. proftpd is started by inetd and cannot answer a passphrase prompt, so the unencrypted copy (ssl.key.pem) is the one /etc/proftpd.conf must reference; set the umask first so both files are created readable by root only. 1024-bit RSA keys are below today's accepted minimum, so use 2048 bits unless the Certificate Authority requires otherwise:

# cd /etc/ssl
# umask 077
# openssl genrsa -des3 -out server.key 2048
# openssl rsa -in server.key -out ssl.key.pem

l) Create the SSL certificate signing request:

# openssl req -new -key server.key -out server.csr

m) Download the “server.csr” file to your PC and forward to the BCC Certificate Authority server for signing.

Point your browser at “ns0.brm.pri”
Select the “c.a” tab then select the link to the secure ca page.
Follow the instructions on the page to upload the “server.csr” file

n) You will receive an e-mail containing the signed certificate:

  • Cut and paste the certificate text from the e-mail into a file on the server (e.g. docpsd.cert) in the /etc/ssl directory (create the directory if required).
  • Copy the unencrypted key (ssl.key.pem) to the name used in the configuration (e.g. docpsd.key) and make it readable by root only (chmod 600). The passphrase-protected server.key is not usable by an inetd-started proftpd; keep it only as a backup.
  • Update the TLS statements in /etc/proftpd.conf (TLSRSACertificateFile and TLSRSACertificateKeyFile) to point at the certificate and the unencrypted key.
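The certificate and key produced by steps k) to n) can be checked before they go into /etc/ssl and before inetd is refreshed. The script below is an added example (it is not from the original page or the proFTPd project): it reproduces the key generation of step k), substitutes a self-signed certificate for the CA-signed one returned in step n) so that it runs offline, and then checks the four things that commonly break an inetd-started mod_tls: a passphrase-protected key, a key readable by other users, a certificate that was not issued for the key, and an expired certificate. The names docpsd.key/docpsd.cert are the ones used in step i); the CN ftp.example.test, the demo passphrase and the temporary paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): generate key material the way
# steps k) to n) do and verify it before it is copied into /etc/ssl.
# Assumptions: the openssl CLI is on PATH (the page adds /opt/freeware/bin);
# a self-signed certificate stands in for the BCC CA-signed one so the check
# runs offline; every path below is a temporary demo path.

work=${TMPDIR:-/tmp}/proftpd-tls.$$
mkdir -p "$work"; trap 'rm -rf "$work"' EXIT
umask 077   # private keys are created mode 0600 (root-only) from the start

# Passphrase-protected key, then the unencrypted copy, as in step k).
# proftpd started by inetd has no terminal to answer a passphrase prompt, so
# the config must reference the unencrypted copy (ssl.key.pem / docpsd.key).
openssl genrsa -des3 -passout pass:demo -out "$work/server.key" 2048 2>/dev/null
openssl rsa -in "$work/server.key" -passin pass:demo -out "$work/ssl.key.pem" 2>/dev/null
# CSR as in step l); self-signing it replaces the CA round trip of steps m) and n)
openssl req -new -key "$work/ssl.key.pem" -subj "/CN=ftp.example.test" \
    -out "$work/server.csr" 2>/dev/null
openssl x509 -req -in "$work/server.csr" -signkey "$work/ssl.key.pem" -days 365 \
    -out "$work/docpsd.cert" 2>/dev/null
cp "$work/ssl.key.pem" "$work/docpsd.key"   # the name step i) references

# tls_material_ok KEY CERT -> 0 when KEY is unencrypted, mode 0600, the key
# that CERT was issued for, and CERT has not expired; 1 otherwise (reason on stderr).
tls_material_ok() {
    key=$1; cert=$2
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected; inetd cannot supply the passphrase" >&2
        return 1
    fi
    mode=$(ls -l "$key" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
        echo "FAIL: $key permissions are $mode, expected rw------- (chmod 600)" >&2
        return 1
    fi
    # An RSA certificate and its key share the modulus; a mismatch means the
    # certificate that came back was issued for some other key.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: $cert was not issued for $key (RSA modulus mismatch)" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 1
    fi
    return 0
}

tls_material_ok "$work/docpsd.key" "$work/docpsd.cert" && echo "docpsd.key / docpsd.cert: OK"
tls_material_ok "$work/server.key" "$work/docpsd.cert" || echo "server.key: rejected (encrypted), as expected"
```

On the live system run tls_material_ok /etc/ssl/docpsd.key /etc/ssl/docpsd.cert after step n); a failure on the first check is the usual cause of proftpd silently refusing AUTH TLS when it has been pointed at server.key instead of the unencrypted copy.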

o) Update /etc/inetd.conf to change the ftp entry to the following value (note the source build installs to /usr/local/sbin, not /usr/sbin):

ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd

p) Issue the following command to force inetd to re-read its configuration file:

# refresh -s inetd

q) Verify that the standard Windows ftp client works correctly and that it is now using proFTPd.

r) Using an FTPS capable ftp client (such as FileZilla or Core FTP Lite) verify that FTPS works correctly; /var/log/tls.log should record the TLS handshake.

s) Verify that the ftp user is now locked into their home directory.

 
aix/aix-proftpd.txt · Last modified: 06/04/2022 10:02 by andrew